MediaTek security vulnerability patched by Google

News by Mark Mayne

MediaTek-su bug impacted huge numbers of mid-range Android devices, including devices from Amazon, Nokia and LG

Google has patched a long-running critical flaw in a kernel driver shipped on many MediaTek-based devices, which can be exploited to gain temporary root access. The flaw, dubbed MediaTek-su, was reportedly out in the wild for close to a year before the fix landed in the March 2020 Android Security Bulletin.

Tracked as CVE-2020-0069, the vulnerability affects the MediaTek Command Queue (CMDQ) driver and was first discovered in February 2019 by a developer looking for a way to root Amazon's Fire tablets. That discovery led to a script that could be used to temporarily gain root access on Fire tablets.

While the script was written to root Amazon devices, the exploit works on any unpatched MediaTek device running Linux kernel 3.18, 4.4, 4.9 or 4.14 with Android 7 Nougat, 8 Oreo or 9 Pie; the full list shared by XDA Developers includes devices from Amazon, Nokia and LG. Root access gained this way lasts only until the device is rebooted, although an app that carries the exploit can simply run it again after each boot.

XDA Developers reported that the vulnerability was being discussed on its developer forums as early as April 2019.

While Google has now shipped the patch, some OEMs had already issued fixes based on MediaTek's patch, including Amazon, and others had modified their kernels in ways that defeat the exploit, including Vivo, Huawei/Honor, Oppo and Samsung. MediaTek devices running Android 10 are not vulnerable because, according to MediaTek, "the access permission of CMDQ device nodes is also enforced by SELinux".
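The conditions above (MediaTek silicon, kernel 3.18/4.4/4.9/4.14, Android 7 to 9, a security patch level from before the fix) and MediaTek's remark that Android 10 locks down the CMDQ device node translate into a short triage script for a device fleet. The following is an added example for this article, not code from XDA Developers, MediaTek or the article's author: it encodes those conditions as POSIX shell functions that can be pasted into `adb shell`, and checks whether the CMDQ node is world read/write. The node path /dev/mtk_cmdq, the use of the ro.board.platform, ro.build.version.release and ro.build.version.security_patch properties, and the 2020-03-01 cut-off (the March 2020 Android Security Bulletin) are assumptions not stated on the page.

```shell
#!/bin/sh
# Added triage helper (not from the article, XDA or MediaTek): decides whether an
# Android build falls in the population the article describes as exposed to
# MediaTek-su (CVE-2020-0069) and, on a device, whether the CMDQ device node is
# world read/write. Intended for `adb shell`, but every check is a plain
# function so it also runs anywhere a POSIX sh exists.
#
# Assumptions (not stated on the page): the node path /dev/mtk_cmdq; that
# ro.board.platform, ro.build.version.release and ro.build.version.security_patch
# carry the platform, Android version and patch level; and the cut-off date
# 2020-03-01 for the bulletin that shipped the fix.

# Kernel versions the article lists as affected: 3.18, 4.4, 4.9, 4.14.
kernel_affected() {
    case "$1" in
        3.18|3.18.*|4.4|4.4.*|4.9|4.9.*|4.14|4.14.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Android 7, 8 and 9; Android 10 enforces CMDQ node access with SELinux.
android_affected() {
    case "$1" in
        7|7.*|8|8.*|9|9.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Security patch level earlier than the bulletin that shipped the fix. An empty
# or unparsable level counts as unpatched, the safe direction for triage.
patch_level_before_fix() {
    d=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    [ -n "$d" ] || d=0
    [ "$d" -lt 20200301 ]
}

# MediaTek SoC identifiers look like mt6765 / mt8163.
mediatek_platform() {
    case "$1" in
        mt[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for one device. Prints a one-word reason and returns 0 only when all
# four conditions point at a likely-exposed device.
mediatek_su_exposed() {
    platform="$1" android="$2" kernel="$3" patch="$4"
    mediatek_platform "$platform"   || { echo "not-mediatek";         return 1; }
    android_affected "$android"     || { echo "android-not-affected"; return 1; }
    kernel_affected "$kernel"       || { echo "kernel-not-affected";  return 1; }
    patch_level_before_fix "$patch" || { echo "patched";              return 1; }
    echo "likely-exposed"
    return 0
}

# True when "other" has read and write on the node (crw-rw-rw- style mode).
# Works on any path, so it can be exercised against an ordinary file.
cmdq_node_world_rw() {
    node="${1:-/dev/mtk_cmdq}"
    [ -e "$node" ] || return 1
    mode=$(ls -ld "$node" | cut -c1-10)
    case "$mode" in
        ???????rw?) return 0 ;;
        *) return 1 ;;
    esac
}

# On a real device, gather the inputs and report.
if command -v getprop >/dev/null 2>&1; then
    mediatek_su_exposed "$(getprop ro.board.platform)" \
                        "$(getprop ro.build.version.release)" \
                        "$(uname -r)" \
                        "$(getprop ro.build.version.security_patch)" || true
    if cmdq_node_world_rw /dev/mtk_cmdq; then
        echo "/dev/mtk_cmdq is world read/write"
    fi
fi
```

A "likely-exposed" verdict is a screening result, not proof: OEMs that shipped MediaTek's fix or a kernel change before March 2020 (the article names Amazon, Vivo, Huawei/Honor, Oppo and Samsung) will still report an older patch level, so confirm on the device with the node check or by attempting the exploit in a lab. Conversely, a node that is not world-writable does not by itself prove the driver is patched.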

“It is a known secret that Android devices are full of vulnerabilities and it is a constant battle between manufacturers & carriers to discover and patch them. The main challenge is that the Android OS is part of a complex ecosystem where manufacturers, network carriers, and end-users must work in perfect harmony to discover and patch security flaws before cyber criminals discover and exploit them for malicious gains. This won't go away anytime soon,” said Marco Essomba, Founder, iCyber-Security. 

As more organisations adopt BYOD policies, a defence-in-depth approach is key to staying one step ahead of cyber-criminals, Essomba explained.

“For organisations that allow their employees to bring their own devices, including Android, implementing a corporate mobile device management policy is key. This allows organisations to enforce mobile device security policies. For example, the corporate policy can detect rooted devices and block access to corporate apps or sensitive data. Moreover, the corporate policy can detect and stop devices that are not patched or not running the latest security updates,” he said.

The vulnerability has been documented as being used in the wild. A security report from Trend Micro in January 2020 highlighted several Play Store apps that used either MediaTek-su or CVE-2019-2215 (a use-after-free in the Android kernel's Binder driver) to gain root access.

“Vulnerabilities in Android may not be uncommon, but it is rarer to find examples of such severity being actively exploited in the wild. Such an exploit can be used to create 'auto-rooting' malware that can easily be embedded and distributed in seemingly innocuous apps. We saw similar techniques used with LevelDropper that was present in the Play Store in 2016,” said Tom Davison, technical director - international at Lookout.

“Once installed, infected apps can silently root devices, giving attackers numerous capabilities, such as further app installation, end user surveillance or data theft, all without the device owner being aware. The advice to users is to install the latest security patches, avoid downloading apps from unknown stores or via links and be vigilant for signs of abnormal device behaviour. For added peace of mind, use a mobile endpoint security solution that can monitor for app behaviour and device compromise. Enterprises should adopt a mobile vulnerability management program, extending day-to-day management of security patches to their mobile fleet,” he added.

The full list of devices XDA Developers reported as affected by the MediaTek-su bug:

  • Acer Iconia One 10 B3-A30

  • Acer Iconia One 10 B3-A40

  • Alba tablet series

  • Alcatel 1 5033 series

  • Alcatel 1C

  • Alcatel 3L (2018) 5034 series

  • Alcatel 3T 8

  • Alcatel A5 LED 5085 series

  • Alcatel A30 5049 series

  • Alcatel Idol 5

  • Alcatel/TCL A1 A501DL

  • Alcatel/TCL LX A502DL

  • Alcatel Tetra 5041C

  • Amazon Fire 7 2019 (up to Fire OS 6.3.1.2)

  • Amazon Fire HD 8 2016 (up to Fire OS 5.3.6.4)

  • Amazon Fire HD 8 2017 (up to Fire OS 5.6.4.0)

  • Amazon Fire HD 8 2018 (up to Fire OS 6.3.0.1)

  • Amazon Fire HD 10 2017 (up to Fire OS 5.6.4.0)

  • Amazon Fire HD 10 2019 (up to Fire OS 7.3.1.0)

  • Amazon Fire TV 2 (up to Fire OS 5.2.6.9)

  • ASUS ZenFone Max Plus X018D

  • ASUS ZenPad 3s 10 Z500M

  • ASUS ZenPad Z3xxM(F) MT8163-based series

  • Barnes & Noble NOOK Tablet 7" BNTV450 & BNTV460

  • Barnes & Noble NOOK Tablet 10.1" BNTV650

  • Blackview A8 Max

  • Blackview BV9600 Pro (Helio P60)

  • BLU Life Max

  • BLU Life One X

  • BLU R1 series

  • BLU R2 LTE

  • BLU S1

  • BLU Tank Xtreme Pro

  • BLU Vivo 8L

  • BLU Vivo XI

  • BLU Vivo XL4

  • Bluboo S8

  • BQ Aquaris M8

  • CAT S41

  • Coolpad Cool Play 8 Lite

  • Dragon Touch K10

  • Echo Feeling

  • Gionee M7

  • HiSense Infinity H12 Lite

  • Huawei GR3 TAG-L21

  • Huawei Y5II

  • Huawei Y6II MT6735 series

  • Lava Iris 88S

  • Lenovo C2 series

  • Lenovo Tab E8

  • Lenovo Tab2 A10-70F

  • LG K8+ (2018) X210ULMA (MTK)

  • LG K10 (2017)

  • LG Tribute Dynasty

  • LG X power 2/M320 series (MTK)

  • LG Xpression Plus 2/K40 LMX420 series

  • Lumigon T3

  • Meizu M5c

  • Meizu M6

  • Meizu Pro 7 Plus

  • Nokia 1

  • Nokia 1 Plus

  • Nokia 3

  • Nokia 3.1

  • Nokia 3.1 Plus

  • Nokia 5.1

  • Nokia 5.1 Plus/X5

  • Onn 7" Android tablet

  • Onn 8" & 10" tablet series (MT8163)

  • OPPO A5s

  • OPPO F5 series/A73 (Android 8.x only)

  • OPPO F7 series (Android 8.x only)

  • OPPO F9 series (Android 8.x only)

  • Oukitel K12

  • Protruly D7

  • Realme 1

  • Sony Xperia C4

  • Sony Xperia C5 series

  • Sony Xperia L1

  • Sony Xperia L3

  • Sony Xperia XA series

  • Sony Xperia XA1 series

  • Southern Telecom Smartab ST1009X (MT8167)

  • TECNO Spark 3 series

  • Umidigi F1 series

  • Umidigi Power

  • Wiko Ride

  • Wiko Sunny

  • Wiko View3

  • Xiaomi Redmi 6/6A series

  • ZTE Blade A530

  • ZTE Blade D6/V6

  • ZTE Quest 5 Z3351
